Harnessing third-parties for value creation

Instituting your extended enterprise risk management (EERM) program

For many organizations, the global third-party ecosystem (known as the extended enterprise) has grown larger and more complex. It’s also become an important source of strategic advantage. But managing this extended enterprise has become increasingly challenging. One solution: extended enterprise risk management, which can help organizations better anticipate and manage exposures associated with third-parties across the full range of operations.


Disruptive events have led to business continuity issues, reputational damage, and regulatory enforcement actions and penalties. Third-party risk (as well as fourth- or fifth-party risk deeper in the extended enterprise ecosystem) may have been considered isolated risks to specific areas of the business. But in some “headline” news stories involving damaged corporate reputations, the culprit often wasn’t the organization itself but a third-party provider.

Learning to recognize, anticipate, and manage extended enterprise risk can help dramatically reduce exposure. It can also lead to business improvements that can drive value creation.

How can you accelerate your EERM program? And how can EERM help your organization improve financial performance, reduce regulator and stakeholder scrutiny, enhance brand and reputation, and optimize margins and cost control? Continue to read below to find out how risk powers performance.

Why should you implement or accelerate your EERM program as soon as possible?

Many factors motivate companies to implement or accelerate an EERM program. But they come down to profitability, exposure, and cost. There’s a real need to focus on EERM now because of the rapid increase in the number of connections beyond the walls of your organization—and beyond the walls of your business partners. Historically, third-parties were relegated to less critical functions or considered risks outside your control. Today, the role of third-parties in core functions that sit close to strategy and value creation is on the rise. Adding to this complexity is an ever-growing global organizational footprint for many enterprises that have branches or representatives on multiple continents.

Third-parties themselves are subject to the same trends. That means your enterprise may be dependent on widely dispersed fourth- or even fifth-parties. Risk is no longer a concern solely with respect to the third-parties you’re directly doing business with. It’s also a concern with respect to your third-parties’ suppliers and partners. That translates into a startling level of global complexity that’s beyond the scope of much risk management thinking.

What’s the upside of strengthening EERM?

Improved financial performance: Joint ventures, business partnerships, franchise agreements, and other third-party relationships are investments—and should be managed to maximize a return. How the relationship is defined, executed, and governed is directly linked to the profitability and financial performance of the relationship. EERM involves assessment of enterprise and operational risks—before and during the relationship—with respect to the structure, objectives, and operating priorities (including expected outcomes and results) of the relationship.

Reduced regulator and stakeholder scrutiny: Problems in partner organizations, even in the outer reaches of your ecosystem, can cascade rapidly, causing late deliveries, product recalls, or negative consumer reactions. Increasing levels of scrutiny and legal obligations—in regulated and other industries—are more likely to lead to fines or other enforcement actions. Financial services firms are an obvious target for regulators, but they’re not alone.

When authorities look at any kind of disruption, they pay attention to operational models and governance structures, including the ability to have visibility and strong governance over third-parties. In financial services in many countries, regulators have defined expectations for the role of the board of directors, senior management, and internal audit. The board will want to know how you employ third-parties, who they can hold accountable for third-party relationships at an enterprise level, and what kind of risk defenses you have in place.

Better reputation and brand management: Accelerated news cycles, the rise of social media, and an increasing allegiance to brands with strong ethical and sustainability values have amplified the scope and speed at which brands can become subject to negative ramifications. Even if the cause may originate elsewhere, it’s the enterprise that suffers, often with lasting impact on brand reputation.

Improved margins and better cost control: Aside from simply reducing risk exposure, EERM can provide opportunities to rethink practices as well as drive value and competitive advantage. For example, supplier rationalization and consolidation can result in better pricing, enhanced reliability, improvements in meeting service level agreements, and other synergies. Or in the instance of a business partnership, how you assess and govern strategic, reputational, and geopolitical risks can reduce exposure to unforeseen operating challenges. It can also allow you to proactively manage market and product strategy to mitigate financial losses.

In other words, don’t look at managing risk simply as a means to protect value but also as a means to create value. Consider the upside and the opportunity to enable innovation, facilitate expansion into new markets, or even gain access to skills and capabilities not available inside your organization.

How can you get there?

You can enhance your EERM, but recognize that it’s easy to get overwhelmed when first considering the complexity of the extended enterprise, risk and cost consequences, and strategic opportunities. We believe the focus should be on starting deliberately and thoughtfully and then building from there.

Who are you really doing business with? If you don’t know, find out. Those relationships and risks can provide you with a clearer line of sight into your extended enterprise ecosystem and the starting point for developing a more mature EERM approach.

Consider these three steps to begin:

Look at your ecosystem and the big picture: Understand what current practices work well and how they can be leveraged for a future state. Then determine which area of the business might be ripe for a pilot program to show quick wins and stakeholder buy-in.

Assign accountability: Charge an executive with developing a governance structure and program that links EERM to business objectives. Managing risk and driving performance requires accountability at a high level in the organization. It also requires a holistic and proactive view of the extended enterprise and your approach to risk.

Understand your risk posture: Define what your risk appetite is and map that against the risk third-parties are bringing to your organization. Improved management can be as simple as rationalizing relationships, getting transparency into the third-parties involved in your extended enterprise, and then reducing that number as needed.
